1.0.3 released 2012-01-31

- Internet Explorer 8 adds support for XMLHttpRequest.prototype,
  but this support is broken for method overloading. We
  explicitly disable JavaScript overloading for Internet Explorer.
  Thanks Kelly Lu for reporting. <lubird@gmail.com>

- A global declaration was omitted, resulting in a variable
  not being properly introduced in PHP 5.3. Thanks Whitney Beck for
  reporting. <whitney.a.beck@gmail.com>

1.0.2 released 2009-03-08

- Due to a typo, csrf-magic accidentally treated the secret key
  as always present. This means that there was a possible CSRF
  attack against users without any cookies. No attacks in the
  wild were known at the time of this release. Thanks Jakub

1.0.1 released 2008-11-02

- Support for composite tokens; this also fixes a bug with using
  IP-based tokens for users with cookies disabled.

- Native support for cookie tokens; use csrf_conf('cookie', $name) to
  specify the name of a cookie that the CSRF token should be
  placed in. This is useful if you have a Squid cache, and need
  to configure it to ignore this token.

- Tips/tricks section in README.txt.

- There is now a two hour expiration time on all tokens. This
  can be modified using csrf_conf('expires', $seconds).

- ClickJacking protection using an iframe breaker. Disable with
  csrf_conf('frame-breaker', false).

- CsrfMagic.send() incorrectly submitted GET requests twice,
  once without the magic token and once with the token. Reported
  by Kelly Lu <lubird@gmail.com>.